Privacy Notice

This website is operated by the Isle of Man Gambling Supervision Commission (GSC) whose principal place of business is Ground Floor, St George’s Court, Myrtle St, Douglas, Isle of Man, IM1 1ED. The GSC is an independent statutory board sponsored by the Treasury, a department of the Isle of Man Government.

The GSC was originally set up in 1962 but became a statutory board under the Gambling Supervision Act 2010, to regulate gambling taking place in the Isle of Man.

In order to carry out our regulatory functions and meet our legal responsibilities, we need to collect certain personal data and, when we do, we are a ‘data controller’ of that information for the purposes of the General Data Protection Regulation (the GDPR) (which applies across the European Union including the Isle of Man), the Isle of Man Data Protection Act 2002 (until superseded by the 2018 Act) (the Data Protection Act) which supplements GDPR, extends its application in the Isle of Man, and implements the Law Enforcement Directive (which relates to processing personal data for law enforcement purposes) (the "LED") in the Isle of Man.

We are registered with the Information Commissioner’s Office as a data controller. Our registration number is: N002090.

This statement contains information about:

What constitutes personal data and special category data

What personal data we collect, for what purpose, and the legal basis for doing so

What are cookies?

Our use of cookies

How we use information website visitors provide us with

Links to other websites

How long we keep information

Keeping your personal information secure

Obtaining data from third parties

Who we share personal data with

Your rights

Accessing your personal data

Overseas transfers

Changes to this privacy statement

How to contact us

How to complain

Do you need extra help?

Personal data and special category data

Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person. It can include your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

What personal data we collect, for what purpose, and the legal basis for doing so

We collect and process personal data based on one or more of the following legal bases:

Consent: the individual has given clear consent for us to process their personal data for a specific purpose

Contract: the processing is necessary for a contract we have with the individual or their organisation, or because they have asked us to take specific steps before entering into a contract

Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)

Vital interests: the processing is necessary to protect someone’s life

Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law

We collect and process special categories of personal data based on one or more of the legal bases set out above and where one of the separate conditions for processing applies, the most likely being:

Processing is necessary for reasons of substantial public interest, on the basis of Isle of Man law and is proportionate to the aim pursued, or

Processing is necessary for the establishment, exercise or defence of legal claims

As a regulatory body, most of the personal data that we collect and process is data relating to our regulatory functions and responsibilities. Therefore, for the most part (and for the reasons set out below), when we are processing data it will be on the basis that it is necessary for the performance of a task carried out in the exercising of our statutory functions and/or in the public interest. We have sought to explain how this works below and also what other lawful bases apply to our processing of data in the relevant categories.

We will also be acting as an enforcement body in relation to certain gambling offences, and processing data for this purpose. The effect of this is picked up below.

Licence applicants

When we receive an application for a licence/certificate/permit for a business1, or carry out vetting processes for 'key persons' in relation to any application2, we create or update the information we hold about that person on our systems. We use that data to decide whether to approve the application and issue the licence/certificate.

The provision of data for the purposes of licence applications and vetting processes is required by law. Failure to provide the information requested will leave the GSC unable to proceed with the application leading to the application being refused, and can constitute an offence a number of the GSC’s Acts3.

If we find that any individual does not meet the necessary standards required by law, they may not be approved to undertake a vetted role. It is also vital that care is taken to ensure that the information supplied is accurate and contemporaneous (including in the period between the submission of the application and the date of the decision). If this is not done, there is a possibility that any approval issued may be reviewed and potentially revoked.

We are required to conduct ‘suitability assessments’ as part of the licensing process. For this purpose, we will obtain personal data relating to applicants from third parties such as criminal records registries and other regulatory bodies. Obtaining data from third parties is explained further below.

The regulatory objectives under the Gambling Supervision Act 2010 are:

ensuring that gambling is conducted in a fair and open wayWhen we receive an application for a licence/certificate/permit for a business1, or carry out vetting processes for 'key persons' in relation to any application2, we create or update the information we hold about that person on our systems. We use that data to decide whether to approve the application and issue the licence/certificate.

The provision of data for the purposes of licence applications and vetting processes is required by law. Failure to provide the information requested will leave the GSC unable to proceed with the application leading to the application being refused, and can constitute an offence a number of the GSC’s Acts3.

If we find that any individual does not meet the necessary standards required by law, they may not be approved to undertake a vetted role. It is also vital that care is taken to ensure that the information supplied is accurate and contemporaneous (including in the period between the submission of the application and the date of the decision). If this is not done, there is a possibility that any approval issued may be reviewed and potentially revoked.

We are required to conduct ‘suitability assessments’ as part of the licensing process. For this purpose, we will obtain personal data relating to applicants from third parties such as criminal records registries and other regulatory bodies. Obtaining data from third parties is explained further below.

The regulatory objectives under the Gambling Supervision Act 2010 are:

Ensuring that gambling is conducted in a fair and open way

Protecting children and other vulnerable persons from being harmed or expolited by gambling

Preventing gambling from being a source of crime, to be associated with crime or disorder and or used to support crime

In line with these objectives, our collection of personal data for licensing purposes may also be used to:

Comply with our statutory function and legal obligations

Inform our regulatory work in accordance with these objectives – including investigations and enforcement

Assist other regulators or law enforcement agencies

Check our level of service and to help us improve things where we can

Conduct research/collate statistics for publication and/or for the purposes of formulation of policy. Although, in this case, the persons’ data will not identify individuals (in other words, it will be anonymised)

People who already hold a licence

We publish the names of all companies and individuals who hold operating licences in the Isle of Man.

People we are investigating/ regulatory action

The Gambling Supervision Act 2010 Act requires that the GSC supervise activities for the purposes of ensuring the regulatory objectives are met. In order to meet these objectives the GSC must assess compliance with its various Acts and Regulations and in certain instances investigate whether any offence may have been committed under the Acts and institute criminal proceedings, in which case the relevant provisions of the LED (as implemented by the Data Protection Act) will be engaged.

The GSC will use personal data in the course of conducting investigations (and deciding outcomes) into the activities of approved persons and licensees.

This information may also be relevant to our wider regulatory objectives and statutory functions. We may, for example, derive information from our investigations which help us improve our understanding of the gambling market and assessment of the risks it faces (and potential risks to consumers as a result), and to seek continuous improvements in the market and our regulation of it.

Complainant data

Our Player Protection page explains how you might raise a complaint with the GSC about one of its licensees.

When we receive any such complaint, we will create a complaint file which will identify the complainant (and include their contact details) and others who may be named in the complaint.

We will ordinarily have to share the complainant’s identity with the operator or person complained about. It may be necessary for the person complained about to access any relevant information they hold on a complainant (e.g. relevant customer account details, history, etc.) to help us resolve the complaint. The more complete a picture that we have of the issues complained about, the better prospect we will have in dealing with it effectively. If a complainant tells us that they do not want to be identified to the operator/ person complained about, we will try to respect that. But where there is an overarching public interest to progress a complaint made, which cannot be done without disclosing the complainant’s identity, we may decide to do so.

A complaint may also lead to regulatory action as set out above; as such, the relevant data may also form part of the investigation file.

We may publish research or statistics regarding the complaints we deal with in a relevant period; but we will not do this in a way which identifies individual complainants.

Employees - prospective, past and present

When people apply to work for us, we process data in the course of deciding applications, and also to monitor our recruitment process.

To ensure we are an equal opportunities employer we will collect certain information which may be categorised as special category data. The information is not used for the purposes of the application itself however and is treated with strictest confidence. The information is important to monitoring recruitment and may be used to assist us in helping to deliver equal opportunity measures.

Successful applicants' personal data will be processed in line with our internal Privacy Policy. We will generally dispose of unsuccessful applicants’ applications within one year of the process being complete; although we may ask for their consent to keep the information for a longer period if, for example, there is the prospect of a relevant vacancy arising in the future.

Other people we come into contact with, provide services to, and stakeholders in the industry

From time to time we come across third parties who are in some way relevant to our work as a regulator. This category is broad and might include advisers to operators/ personal licensees, witnesses relevant to an investigation and personnel at connected bodies or other regulators/ enforcement agencies. We may use this personal data either in the context of our regulatory functions referred to above, or for reasons connected to the gambling industry more generally.

What are cookies?

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small text files known as cookies. These cookies do not collect any personally identifiable information and as such cannot be used to identify you personally.

These pieces of information are used to improve services for you through, for example:

Enabling a service to recognise your device so you don’t have to give the same information several times during one task

Recognising that you may already have given a username and password so you don’t need to do it for every web page requested

Measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast; and

Analysing anonymised data to help us understand how people interact with our services so we can make them better

Our use of cookies and managing cookies on your device

You can learn more about how the GSC uses these small files at Cookies, and/or learn how to manage these small files yourself at AboutCookies.Org.

Cookies to support specific elements of the site

These may include cookies to record that we have already presented you with a piece of information which you would find intrusive and annoying if we continually re-presented.

These may include notifications about the availability of new features or applications, and warning notices; and/or cookies to retain settings or choices that you have made earlier during your visit to our site, so that we can reapply those choices when you revisit the relevant pages. These save you effort in re-selecting the settings or making the choice, improving your experience of the website, for example, pre-populating complex search criteria screens with previous values, or collating selections you have made throughout your visit.

Cookies set by other websites through this site

We want to provide interesting and engaging content on our website. We may embed photos and video content from websites such are YouTube and Flickr. As a result, when you visit a page with content embedded from, for example, YouTube, you may be presented with cookies from these websites.

We do not control the dissemination of these cookies and recommend that you check the relevant third party website for more information about these.

Most web browsers allow some control of most cookies through the browser settings. To find out more, including how to see what cookies have been set and how to manage and delete them, visit About Cookies or All About Cookies. Please be aware, however, that without cookies you may not be able to use the full functionality of the Site.

If you wish to view your cookie code, just click on a cookie to open it. You'll see a short string of text and numbers. The numbers are your identification card, which can only be seen by the server that gave you the cookie. For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual.

Linking to us

You do not have to ask permission to link directly to pages hosted on this Site, unless the page is within a secure part of the Site, in which case the functionality of this Site will prevent you doing so successfully. We do not object to you linking directly to the information that is hosted on our Site. However, you may not load a page from our Site directly into a frame on another website. The page from our Site should load into the user's entire window.

Linking by us

We are not responsible for the content or reliability of any website that we may link to. If we link to another website, that linking should not be taken as endorsement of any kind. We cannot guarantee that these links will work at all times. If you do experience a failed link, please report it by contacting us.

If you would like us to correct or update any information, or if you would like information deleted from our records, then please contact us on gaming@gov.im, or write to:

How long we keep the information

We operate under a detailed data retention policy which sets out how long certain categories of data will be retained and/or how often certain data will be reviewed for the purpose of assessing whether it needs to be retained.

The main retention periods operated by the GSC are as follows:

Duration of approval + 7 years for licensing and approval related documentation

7 years for compliance related documentation, complaints against licensees and also for enforcement activities

We will use technical and organisational measures in accordance with good industry practice to safeguard your information.

Obtaining data from third parties

In accordance with our statutory functions and powers, we will obtain data from third parties in the following ways (and for the following reasons):

In order to confirm information supplied to us in the licensing application process and/or for the purposes of suitability assessments. This may where required include data from organisations which provide enhanced due diligence reports, as well as public registers, and information from other regulatory bodies. As part of our applications process, we include an Authorisation for release of information – which confirms (for the purposes of the third parties we approach) applicants’ agreement to the supply of information from governmental and public bodies, financial institutions etc

To the extent the relevant information requested/supplied by these third parties constitutes personal data; we do not rely on consent as the lawful basis for processing the same. As explained above, this processing will be for the purposes of exercising our official authority and statutory functions as regulator of the gambling industry.

From operators at our request for the purposes of our exercise of our functions, particularly in the context of seeking to achieving our regulatory objectives under the Gambling Supervision Act 2010. This may include information about problem gamblers, for example

From complainants, other regulatory bodies, witnesses and experts about persons relevant to a regulatory investigation

Data provided by licence applicants identifying people relevant to the application who are not the applicants themselves

In each case, the information is important to the exercise of our regulatory functions; and, we will not generally notify the relevant individuals when such data is received from third parties.

In certain circumstances, particularly where there is a possibility of criminal activity being identified and actioned, notification could obviously hinder this process.

In other cases, the information is necessary (and failure to provide it could lead, for example, to a refused application or even an offence being committed under the GSC’s various Acts) and/or notifying individuals would involve disproportionate effort.

Who we share personal data with

Your data may be shared with third parties who fulfil a service on our behalf, and under our express instructions.

It may also be shared with other bodies where it is necessary to do so and where we are legally required or permitted to do so.

This may include relevant public authorities, gambling operators, other regulatory authorities and law enforcement agencies (including overseas).

We also share data with third parties for the purpose of vetting applicants. Such third parties typically include Disclosure and Barring Service, ACRO Criminal Records Office, Financial Intelligence Unit, Customs and Excise, the Financial Supervision Authority.

Sharing data is primarily for the purpose of performing our regulatory functions such as assessing individuals’ suitability to be licensed/ approved, but it may also be necessary to share information for other reasons, such as the prevention and detection of crime or the collection of tax and gaming duty.

Your rights

Depending upon the information we hold about you, and the reasons for our holding it, you have various rights under the GDPR/ the Data Protection Act – some of these are set out below. If you have any questions about this, please contact our Data Protection Officer at the address stated above.

The right to rectification

You are entitled to have relevant records/ files amended if the personal data we hold is inaccurate or incomplete.

The right to erasure

In limited circumstances you will have the right (where the data is no longer needed for the purposes it was collected, where you have withdrawn consent and there is no other lawful basis on which we can continue to process it, you object to processing and there are no overriding legitimate grounds to continue, where the data has been unlawfully processed or where the data has to be erased for compliance with a legal obligation) to request that we erase the information we hold about you.

As most of our processing is conducted in order for us to perform a public task and/or comply with a legal obligation, this right will not be available in most circumstances.

The right to restrict processing

You have the right to seek to restrict processing of your data in the following circumstances:

The accuracy of the data is contested – for a period necessary to allow us to verify its accuracy

The processing is unlawful and you request restriction instead of erasure

We no longer need the data for the purposes it was collected, but you need it in connection with a legal claim

The right to object to processing

You have the right to object to our processing of data which is done on our predominant ground for processing – the exercise of our statutory/ regulatory functions. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.

Law enforcement processing

The Data Protection Act (implementing the LED) sets out how the rights (together with rights of access – explained below) apply in circumstances where we are prosecuting/conducting law enforcement processing. This includes the prospect of certain rights being restricted (in whole or in part) where necessary and proportionate: to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or expectation of criminal penalties; to avoid obstructing an official or legal inquiry, investigation or procedure; or to protect public security, national security, or the rights and freedoms of persons other than the data subject.

Accessing your personal data

You have the right to confirmation as to whether or not we hold/are processing your personal data, a description of it, the reasons we hold it, the period it will be retained for, to whom the information could be disclosed, and a copy of the information in an intelligible form.

There is no fee to access your data but a subject access request must be made in writing. You can submit your request by post or email to:

Two documents (one must be a photographic id document, one must be an address identity document) to identify themselves to the satisfaction of the GSC, between which they must clearly show:

Your name

Your photograph

Your current postal address

Your date of birth

Your signature

To ensure confidentiality, we will need evidence which confirms your identity, for example:

birth certificate

driving license

passport

medical card

bank statement

utility bill

Please do not send original documents.

The GSC is required by the provisions of the Data Protection Act, to provide you with the requested information within 40 days of receipt of this form. Most requests will receive a response within one month of receipt of a valid request; those which are more complex or numerous may take up to three months.

Please note - you may not be entitled to see all the information held about you if an exemption under the GDPR/ the Data Protection Act applies, e.g.: if it contains data mixed with other individuals’ data, if disclosure would prejudice the exercise of our regulatory functions or is subject to legal privilege. Requests which are manifestly unfounded or excessive will be refused.

Overseas transfers

Our systems are Isle of Man and UK based. The prospect of international transfer of data will only generally arise in circumstances where we need to send information to our international gambling regulatory counterparts, sports governing bodies based overseas or to officials overseas in connection with regulatory or criminal investigations or processes.

Changes to this privacy statement

We keep this privacy statement under regular review and may change it from time to time. If we change this statement we will post the changes on this page, and place notices on other pages of our website as applicable.

How to contact us

Please contact our Data Protection Officer at the address stated above if you have any feedback or questions about this privacy statement.

How to complain

If you have any concerns about how we collect or process your data then you can write to our Data Protection Officer.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Further information regarding complaints to the ICO can be obtained through its website or by calling +44 1624 693260.